Automattic\WooCommerce\Api\Infrastructure
GraphQLControllerBase::is_introspection_allowed
Check whether GraphQL introspection is allowed for this request.
The principal opts in via a can_introspect(): bool method; principals that don't declare it are denied by default. The decision is then passed through the woocommerce_graphql_can_introspect filter so sites can grant or revoke access without subclassing the principal — useful for per-request rules (specific IPs, headers, query parameters, etc.).
Fail-closed contract: the principal must be non-null (principal-resolution failures deny outright, before the filter is consulted), the principal method's return value is treated with === true, and any throw from either the principal method or the filter callback denies. The filter must likewise return strictly true to allow; any other value denies.
Method of the class: GraphQLControllerBase{}
Hooks from the method
woocommerce_graphql_can_introspect
Returns
bool. true only when introspection is allowed for this request; false otherwise.
Usage
// private - for code of main (parent) class only
$result = $this->is_introspection_allowed( ?object $principal, $request ): bool;
- ?object $principal (required)
- The resolved principal, or null when principal resolution failed.
- $request(WP_REST_Request) (required)
- The REST request.
GraphQLControllerBase::is_introspection_allowed() code WC 10.9.1
private function is_introspection_allowed( ?object $principal, \WP_REST_Request $request ): bool {
	if ( is_null( $principal ) ) {
		return false;
	}
	try {
		$can_introspect = method_exists( $principal, 'can_introspect' )
			&& true === $principal->can_introspect();
		/**
		 * Filters whether the current principal may run GraphQL introspection.
		 *
		 * The filter receives the principal-derived decision (false when the
		 * principal doesn't declare `can_introspect()` or its `can_introspect()`
		 * doesn't return strictly `true`) and must return strictly `true` to
		 * grant access; any other return value denies. The filter is not
		 * invoked when principal resolution failed (i.e. when the controller
		 * passes a null principal) — that case denies outright.
		 *
		 * @since 10.9.0
		 *
		 * @internal
		 *
		 * @param bool             $can_introspect Whether the principal can introspect, derived from `$principal->can_introspect()`.
		 * @param object           $principal      The resolved principal.
		 * @param \WP_REST_Request $request        The REST request being processed.
		 */
		$can_introspect = apply_filters( 'woocommerce_graphql_can_introspect', $can_introspect, $principal, $request );
	} catch ( \Throwable $e ) {
		return false;
	}
	return true === $can_introspect;
}
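
A filter callback that follows the fail-closed contract described above, as an added example (not WooCommerce's own code): it revokes introspection on production and, elsewhere, grants it only for a shared secret sent in a request header. The constant MYSHOP_INTROSPECTION_TOKEN and the X-Introspection-Token header are hypothetical names chosen for illustration.

```php
<?php
// Added example, not part of WooCommerce. MYSHOP_INTROSPECTION_TOKEN and the
// X-Introspection-Token header are hypothetical; define the constant in
// wp-config.php on the environments where schema introspection is wanted.

add_filter(
	'woocommerce_graphql_can_introspect',
	static function ( $can_introspect, $principal, $request ) {
		// Revoke: never expose the schema on production, even when the
		// principal's can_introspect() returned true.
		if ( 'production' === wp_get_environment_type() ) {
			return false;
		}

		// Keep a grant the principal already made. Compare strictly, because
		// an earlier callback on this filter may have returned a non-bool.
		if ( true === $can_introspect ) {
			return true;
		}

		// No secret configured means there is no grant path at all.
		if ( ! defined( 'MYSHOP_INTROSPECTION_TOKEN' ) || '' === (string) MYSHOP_INTROSPECTION_TOKEN ) {
			return false;
		}

		// WP_REST_Request::get_header() returns null when the header is absent.
		$sent = $request->get_header( 'X-Introspection-Token' );
		if ( ! is_string( $sent ) || '' === $sent ) {
			return false;
		}

		// hash_equals() compares in constant time and returns a real bool.
		// Returning 1, 'yes' or any other truthy value here would be denied
		// by the controller's `true === $can_introspect` check.
		return hash_equals( (string) MYSHOP_INTROSPECTION_TOKEN, $sent );
	},
	10,
	3 // Receive $can_introspect, $principal and $request.
);
```

The callback is never reached when principal resolution fails, and an exception thrown inside it results in a denial rather than an error response.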